Cache poisoning vulnerability on the OS level DNS cache in Ubuntu

Bug #1782225 reported by Fatemah Alharbi
Affects            Status     Importance  Assigned to  Milestone
dnsmasq (Ubuntu)   Confirmed  Undecided   Unassigned
systemd (Ubuntu)   Invalid    Undecided   Unassigned

Bug Description

We would like to report a cache poisoning vulnerability on the OS-level DNS cache in Ubuntu. This vulnerability allows an off-path attacker to impersonate the DNS resolver and poison the OS-wide DNS cache directly or through a port-preserving NAT. We have a paper describing the problem; please see the attachment.

Revision history for this message
John A Meinel (jameinel) wrote :

Not the place to report a DNS vulnerability, seems more like a PDF attack, so removing the attachment.
If this is legitimate, please submit against the DNS package in Ubuntu.

Changed in bzr:
status: New → Invalid
Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi John,

Can you please help to report this bug? I haven't used Launchpad before. Do you mean there is a section for Ubuntu on Launchpad? If so, where can I find it because the website is somehow misleading? Also, is there a section for DNS package bugs? Where can I find it?

Thank you,

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks John,

Fatemah, you can either attach the pdf here again or send it to <email address hidden> with gnupg keys available at https://wiki.ubuntu.com/SecurityTeam/Contacts

Thanks

Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi Seth,

The pdf file is attached. Can you check it please?

Thank you,

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Fatemah,

Note that the resource limits set by `setrlimit(2)` (and the `ulimit(1)` shell built-in) are *mostly* per-process, not per-uid. The `RLIMIT_NPROC` setting limits how many processes a user may use, but `RLIMIT_NOFILE` describes how many file descriptors (and thus sockets) may be used per process.

To restrict a single user from consuming 20K descriptors then would require limiting the user to e.g. twenty processes and 1000 file descriptors each, or 1000 processes and twenty file descriptors each, etc. In practice limits this draconian are very difficult to implement and still have a usable computer.

The earliest non-djb reference I have for source port randomization is PowerDNS's recursor, which implemented the source port randomization in April 2006: https://blog.netherlabs.nl/articles/2006/04/14/holy-cow-1-3-million-additional-ip-addresses-served-by-powerdns

Can you let us know more about your publishing timeline?

Thanks

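As an added illustration of the per-process nature of the limits described in the comment above (this is example code written for this page, not code from the reporter, the paper, or Ubuntu), the C program below lowers its own soft RLIMIT_NOFILE, counts how many descriptors it can still open before open(2) fails with EMFILE, and computes the per-uid budget as the product of RLIMIT_NPROC and RLIMIT_NOFILE. The cap of 32 and the use of /dev/null are arbitrary choices for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

#define PROBE_MAX 1024   /* upper bound on descriptors the probe will try to open */

/* Theoretical descriptor budget for one uid: RLIMIT_NPROC bounds the number of
 * processes and RLIMIT_NOFILE bounds descriptors in each, so the product bounds
 * the total (e.g. 20 processes * 1000 fds = 20000, the figures in the comment). */
unsigned long user_fd_budget(unsigned long nproc, unsigned long nofile) {
    return nproc * nofile;
}

/* Lower this process's soft RLIMIT_NOFILE to `cap`, open /dev/null until
 * open(2) refuses, then restore the previous limit. Returns the number of
 * descriptors obtained, or -1 on error; *err receives the errno that stopped
 * the loop (EMFILE when the per-process cap was hit). Nothing here affects
 * any other process of the same uid: the cap is enforced per process. */
int probe_fd_cap(unsigned long cap, int *err) {
    struct rlimit saved, lim;
    int fds[PROBE_MAX];
    int n = 0;

    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) { *err = errno; return -1; }
    lim.rlim_cur = cap;             /* soft limit; may not exceed the hard limit */
    lim.rlim_max = saved.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0) { *err = errno; return -1; }

    *err = 0;
    while (n < PROBE_MAX) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) { *err = errno; break; }
        fds[n++] = fd;
    }
    for (int i = 0; i < n; i++) close(fds[i]);
    setrlimit(RLIMIT_NOFILE, &saved);   /* raising the soft limit back to its old value is allowed */
    return n;
}

int main(void) {
    int err = 0;
    int n = probe_fd_cap(32, &err);
    printf("with RLIMIT_NOFILE=32 this process opened %d extra descriptors before errno %d (EMFILE=%d)\n",
           n, err, EMFILE);
    printf("budget for 20 procs x 1000 fds = %lu, 1000 procs x 20 fds = %lu\n",
           user_fd_budget(20, 1000), user_fd_budget(1000, 20));
    return 0;
}
```

Lowering the soft limit needs no privilege, and the new value is inherited by children but never applied to processes that already exist or to other sessions of the same uid, which is why a per-user descriptor budget can only be approximated as nproc x nofile. A persistent setting belongs in /etc/security/limits.conf (applied by pam_limits at login) rather than in a program.
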
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Ubuntu uses systemd and dnsmasq for OS-level DNS cache. Readjusting package list.

no longer affects: bind (Ubuntu)
no longer affects: systemd (Ubuntu)
no longer affects: openvpn-systemd-resolved (Ubuntu)
no longer affects: bind9 (Ubuntu)
affects: bzr → systemd (Ubuntu)
Changed in systemd (Ubuntu):
status: Invalid → New
Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi Seth,

Thank you for the valuable feedback. The paper is going to be submitted to Infocom 2019: http://infocom2019.ieee-infocom.org/ and the deadline is July 31.

Please let me know if you have any question.

Thank you,

Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi Marc,

Thank you for responding.

Please let me know if you have any question.

Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi,

Any updates regarding the report?

Thank you,

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

We'll probably simply disable caching by default.
The upstream systemd project may be interested in handling it in some better way.

Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi all,

Can you please give me feedback so I can include it in the paper? The deadline is July 31st.

Thank you and I appreciate your time.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Fatemah, we don't intend to take any action until this is public. Once this is publicly known we will work with the systemd community and larger Linux communities on potential solutions.

Thanks

Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

Hi all,

I am sending this email to update you about the status of our paper. The paper titled “Collaborative Client-Side DNS Cache Poisoning Attack” has been accepted at INFOCOM 2019; the conference site is: http://infocom2019.ieee-infocom.org . The paper is going to be published in April 2019. As a reminder, the paper talks about OS vulnerabilities that lead to OS-wide DNS cache poisoning attacks. One of the OSes that we targeted is Ubuntu. For confidentiality reasons, we cannot declare the status or the actions taken by the other OSes to defeat the attack. We would like to check whether Ubuntu is considering security updates regarding this issue.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Congratulations on getting your paper accepted. Very good news.

Ubuntu is still planning on waiting until this is public to address it, in order to discuss the best possible solution with the larger community.

Thanks

Revision history for this message
Fatemah Alharbi (fatemah-alharbi) wrote :

I hope this email finds you well.

I would like to share with you and your team this news from Apple. Apple contacted me regarding the vulnerabilities I found on macOS (specifically the ones related to the DNS service mDNSResponder). Consequently, on January 22, Apple released a new security update. They also asked to add the authors’ names under the additional acknowledgment section, which you can see at this URL: https://support.apple.com/en-us/HT209446

In addition, this news has drawn public attention, especially in the Middle East. I was also interviewed by the following TV channels during the past week (in Arabic):
1- Alarabiya (the most popular news channel in the Middle East): https://www.youtube.com/watch?v=xaDYKbcNSuE&feature=youtu.be
2- Rotana Khalegiya: https://www.youtube.com/watch?v=6JkSZGeG2ng&t=36s
3- Alresalah: https://www.youtube.com/watch?v=5cc6QUhKsgo&t=8s
4- Many newspapers and magazines also covered this news. The following are the most important and popular ones:
a. Arab News (in English): http://www.arabnews.com/node/1444386/media
b. Sabq: https://sabq.org/LjY26c
c. Okaz: https://www.okaz.com.sa/article/1702388
d. Sayidaty: https://www.sayidaty.net/node/837351/%D8%A3%D8%B3%D8%B1%D8%A9-%D9%88%D9%85%D8%AC%D8%AA%D9%85%D8%B9/%D8%A3%D8%AE%D8%A8%D8%A7%D8%B1-%D8%A3%D8%B3%D8%B1%D8%A9-%D9%88%D9%85%D8%AC%D8%AA%D9%85%D8%B9/%D8%B7%D8%A7%D9%84%D8%A8%D8%A9-%D8%AF%D9%83%D8%AA%D9%88%D8%B1%D8%A7%D9%87-%D8%B3%D8%B9%D9%88%D8%AF%D9%8A%D8%A9-%D8%AA%D9%83%D8%AA%D8%B4%D9%81-%D8%AB%D8%BA%D8%B1%D8%A9-%D9%81%D9%8A-%D8%A3%D9%86%D8%B8%D9%85%D8%A9-%D8%A3%D8%A8%D9%84#photo/1
e. Saudi News: http://www.saudianews.org/post/101854/%D8%A8%D8%A7%D9%84%D9%81%D9%8A%D8%AF%D9%8A%D9%88-%D8%B7%D8%A7%D9%84%D8%A8%D8%A9-%D8%AF%D9%83%D8%AA%D9%88%D8%B1%D8%A7%D9%87-%D8%B3%D8%B9%D9%88%D8%AF%D9%8A%D8%A9-%D8%AA%D9%83%D8%AA%D8%B4%D9%81-%D8%AB%D8%BA%D8%B1%D8%A9-%D8%A3%D9%85%D9%86%D9%8A%D8%A9-%D8%BA%D8%A7%D8%A8%D8%AA-%D8%B9%D9%86-%D8%B4%D8%B1%D9%83%D8%A9-%D8%A3%D8%A8%D9%84
f. UCR News (on Twitter): https://twitter.com/UCRiverside/status/1091417728932548608
g. UCR Computer Science department (on Twitter): https://twitter.com/UCRiverside/status/1091417728932548608
h. If you are interested, I tried to post some other news coverage on my Twitter account (actually there are a lot, but I posted the most important ones): @FatemahAlharbi

Please let me know if you have questions.

Thank you,

information type: Private Security → Public Security
Changed in dnsmasq (Ubuntu):
status: New → Confirmed
Changed in systemd (Ubuntu):
status: New → Confirmed
Revision history for this message
Dan Streetman (ddstreet) wrote :

Please reopen if this is still an issue.

Changed in systemd (Ubuntu):
status: Confirmed → Invalid